[RADIATOR] A way to verify that the number of failed attempts is less than 3 in the last 30 minutes
Anders Bandholm
Anders.Bandholm at uni-c.dk
Wed May 22 12:17:32 CDT 2013
On Wed, May 22, 2013 at 03:09:20PM +0000, Pascal Beauregard wrote:
> Hi,
>
> We would like to block requests to our Active Directory if a wireless
> user has been rejected 3 times in the last 30 minutes.
>
> We have Cisco Wireless Controllers, Radiator and AD. In a university
> environment a lot of our users have multiple wireless devices all
> authenticating through Radiator and AD. We have a password expiration
> delay of 6 months in AD. When the password expires for a user, the
> wireless devices of that user try to authenticate to the wireless
> network over and over until the AD account is locked. The account is
> locked for 30 minutes.
>
> So if Radiator can do that, we would like to block authentication
> requests after 3 unsuccessful requests in the last 30 minutes before
> doing the AuthByNTLM.
>
> I presume we are not the only organization that faces this issue.
No :-)
We have a similar setup, and I believe it was solved in the configuration
of the Cisco controllers. The values were fiddled in both the AD and
the WLC so that the controller blocks the account (temporarily) before
the AD locks the account.
If you prefer to do this in Radiator you might want to do the check in
a PostAuthHook. If you have one Radiator only, you can keep the number
of bad logins in a Perl hash inside Radiator itself, but if you have
more Radiators you need a shared cache or database. We use memcached
for this purpose (in another context not related to AD).
I wrote a few tips on this (and other things) last year:
http://www.open.com.au/pipermail/radiator/2012-December/018755.html
Cheers,
Anders
--
Anders Bandholm, UNI-C, Aarhus
Anders.Bandholm at uni-c.dk (+45) 8937-6645 Fax: (+45) 8937-6677
PGP: id=0x0DD38396; fp=9FDE 3B13 6CA3 BD03 7BF1 7062 E694 D295 0DD3 8396
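The single-Radiator variant of what Anders describes (a count of bad logins kept in a Perl hash inside Radiator, evaluated over a 30-minute window) as an added, stand-alone example; it is not code from the thread, from Radiator or from either poster. The counting functions are plain Perl and run on their own; the two hook wrappers at the end assume the Radiator hook calling convention (references to request, reply, result and reason), the `$main::REJECT` / `$main::ACCEPT` result codes and the `getUserName` packet method, and how they are wired into `radius.cfg` is only sketched in the comments. In-memory state like this is lost on restart and is not shared between servers, which is why the thread points to memcached or a database when more than one Radiator is involved.

```perl
#!/usr/bin/perl
# Sliding-window counter of rejected logins per user (added example).
use strict;
use warnings;

my $WINDOW   = 30 * 60;   # 30 minutes, matching the AD lockout window
my $MAX_FAIL = 3;         # stop forwarding to AD once 3 rejects are in the window

# %failures: user name -> array ref of epoch times of recent rejects
my %failures;

# Drop timestamps that have fallen out of the window; returns how many remain.
sub prune {
    my ($user, $now) = @_;
    my $list = $failures{$user} || [];
    @$list = grep { $now - $_ < $WINDOW } @$list;
    if (@$list) { $failures{$user} = $list } else { delete $failures{$user} }
    return scalar @$list;
}

# Record one reject for $user at time $now; returns the new in-window count.
sub record_failure {
    my ($user, $now) = @_;
    push @{ $failures{$user} }, $now;
    return prune($user, $now);
}

# True when $user has reached $MAX_FAIL rejects inside the window.
sub is_blocked {
    my ($user, $now) = @_;
    return prune($user, $now) >= $MAX_FAIL ? 1 : 0;
}

# --- Radiator glue (assumed API; see lead-in) ---------------------------
# Intended wiring in radius.cfg (assumed):
#   <Handler>
#       AuthByPolicy ContinueWhileAccept
#       <AuthBy INTERNAL>          # runs first: refuse known-bad users
#           AuthHook sub { main::pre_check_hook(@_) }
#       </AuthBy>
#       <AuthBy NTLM> ... </AuthBy> # only reached when the check accepted
#       PostAuthHook sub { main::post_auth_hook(@_) }
#   </Handler>

# AuthBy INTERNAL AuthHook: returns ($result, $reason).
sub pre_check_hook {
    my $p    = ${$_[0]};
    my $user = $p->getUserName();           # assumed packet method
    return ($main::REJECT, "too many failed logins in the last 30 minutes")
        if is_blocked($user, time);
    return ($main::ACCEPT);                 # let the next AuthBy (NTLM) decide
}

# PostAuthHook: called after all AuthBy clauses with the final result.
sub post_auth_hook {
    my $p      = ${$_[0]};
    my $result = ${$_[2]};
    return unless $result == $main::REJECT;
    my $n = record_failure($p->getUserName(), time);
    &main::log($main::LOG_INFO, "failed login $n/$MAX_FAIL for " . $p->getUserName());
}

# --- self-check when run directly: perl failwindow.pl -------------------
unless (caller) {
    my $t = 1_000_000;                       # constructed base timestamp
    record_failure('alice', $t);
    record_failure('alice', $t + 60);
    print "after 2 rejects blocked? ", is_blocked('alice', $t + 120), "\n";  # 0
    record_failure('alice', $t + 120);
    print "after 3 rejects blocked? ", is_blocked('alice', $t + 180), "\n";  # 1
    # 31 minutes after the first reject only two remain in the window
    print "31 min later blocked?    ", is_blocked('alice', $t + 31 * 60), "\n";  # 0
    print "other user blocked?      ", is_blocked('bob',   $t + 180), "\n";  # 0
}
```

Because the pre-check runs in an AuthBy ahead of NTLM with ContinueWhileAccept, a user who has already collected three rejects is answered locally and AD never sees the fourth attempt, which is the behaviour the original question asks for; the PostAuthHook only records rejects that actually came back from AD, so the local counter tracks the AD lockout counter rather than racing ahead of it.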